CLTRe Insights: demonstrate changes in security culture

Building a strong culture takes commitment, but it is arguably the most important aspect of your workplace. So it makes sense to invest some time and effort in getting it right.

Organizations interested in improving their information security culture are encouraged to adopt verified information security culture practices and to periodically assess their organization’s culture using validated tools to determine if those practices are effective.  Organizations are required by GDPR to demonstrate the effectiveness of their organizational security controls.

Beyond compliance, another key reason to measure security culture is to understand how it changes and evolves over time. Repeating measurements using a reliable and valid measurement instrument enables organizations to understand how security culture changes and to correct course if needed. A measurement instrument that measures security culture must be able to measure the changes in the organization and report these changes in a meaningful way.

Every CLTRe Toolkit includes its own security culture reporting tool. CLTRe Insights has a powerful analytics engine, which means it can provide an array of different reports showing changes in the organization as a whole, or by drilling down on a specific business unit, department or team, for example. The value of being able to measure security culture repeatedly becomes quite clear when looking at the results.

Overall security culture scores for employees in “HQ”, 2016-2018

The image above shows the overall change in security culture maturity over 3 years for a group of employees (‘HQ’) in an organization. In this example, the average security culture score of ‘HQ’ has increased from 56 in 2016, determined by our researchers to be a moderately ‘problematic’ score, to 81 in 2018, which our researchers have determined is a ‘satisfactory’ score for the security culture of these employees.

Within CLTRe Insights, the security culture reporting tool, this same data is also shown as a radar diagram, which reveals how such a dramatic improvement in HQ was possible.

By revealing how the overall score is divided into the seven dimensions of security culture, the radar diagram shows how security culture changed in ‘HQ’ from 2016 to 2018.  This allows security culture managers to see the effectiveness of their efforts on improving particular dimensions of security culture.

Across all dimensions, the security culture scores before 2018 were each at a ‘problematic’ or ‘insecure’ level (i.e. they ranged between 55 and 74). With the exception of communication and norms, the radar diagram shows that some improvement can be seen in all dimensions between 2016 and 2017, despite relatively minor improvement overall.

In comparison, the changes between 2017 and 2018 are much more dramatic, and the radar diagram shows us why.

After significant changes, a dramatic increase in the sense of responsibility towards security can be seen in this group of employees (24-point increase) as well as in how they understand security (cognition), their attitudes towards security and, importantly, in their behaviors.

What is also useful is that this diagram shows us where improvement is still needed. For example, adherence to rules and policy (compliance) in this group is still less than satisfactory.

Culture is not built overnight. Understanding how security culture is changing over time is a key reason to measure it, but this is only possible with a reliable standard of measurement that can be repeated over several years. A measurement instrument that measures security culture must be able to measure the differences and report these differences in a meaningful way.

Using a reliable and valid measurement instrument like the CLTRe Toolkit enables organizations to get a snapshot of their security culture at any point in time, so that they can honestly evaluate the “as is” state of their security culture and get a detailed risk profile of their organization. As an added bonus, measuring security culture helps organizations demonstrate the effectiveness of their organizational security controls, as required by GDPR.

Measuring security culture can help you and your team better achieve your security and business objectives. For more information about the types of reports available from security culture and their use-cases, please get in touch with your questions. To book a demo, go to:

Edit: Radar view updated, 3 Nov
